jmpffff0000
Newcomer I

Odds of passing with lots of experience?

Newbie here!

 

So, I've been in the industry a few decades, started with cracking software copy protection back in the BBS days, spent some years in the military (mostly infosec, sigint etc related), started a few technology companies and am running a couple companies now, including an MSSP, with security consulting on the side. 

 

But... I have no certifications because I simply haven't bothered.  However, that leads to embarrassing conversations nowadays, "We'd like you to do a presentation on X and consult on Y, what can we put down for certifications?"  😂

 

So it appears a good CISO should have CISSP/CRISC/CISM, and I decided to start with the CISSP since that seems to be the one that comes up most often in general conversation.

 

I feel like I know it all, (hah! that'll be the day!), but of course there's always the "unknown unknowns".  I've taken and passed a number of practice tests, but before I blithely jump straight to the exam I thought I'd post here and see if A - anybody else was in my position before and fell flat on their face, and B - if there's any recommendations for Really Good practice tests (which I might not have tried), and/or freebie training materials that might have enough info to let me identify weak areas that need something formal.

 

Any and all assistance is greatly appreciated!  🤗🤗🤗

9 Replies
hsehdar
Newcomer II

Use the following video resources (a few freebies) to find out if there are any gaps.

  1. Kelly Handerhan at Cybrary
  2. Pete Zerger on YouTube
  3. Mike Chapple on LinkedIn (He has authored books)
  4. Rob Witcher on Destination Certification site and YouTube (He has authored books)
  5. Andrew Ramdayal on YouTube with 50 questions and mindset
  6. Prabh Nair - CISSP Prep (Coffee Shots) on YouTube

Early_Adopter
Community Champion

Well first of all stand your ground, if you provide good talks, presentations then don’t gild the lily with a jumble of letters. Do what Rob Slade does and affect a high degree of irascibility whilst adding random quotes to your signature block.

Assuming you disregard the above - take ISC2 up on their free CC exam and training - don’t bother with the training (50/50 on folks here if it teaches the curriculum well enough). If you ace the CC (you’ll know) then book CISSP and buy the new All-in-One CISSP. Read that thoroughly and if you were paying attention in your career you’ll have a good chance of passing without wasting too much time.

Do remember circumventing copy protection will contravene the code of ethics.

JoePete
Advocate I


@jmpffff0000 wrote:

 

So, I've been in the industry a few decades, started with cracking software copy protection back in the BBS days, spent some years in the military (mostly infosec, sigint etc related), started a few technology companies and am running a couple companies now, including an MSSP, with security consulting on the side. 


Back when I became a CISSP (2004) I was in a bit of a similar boat. The hardest part is codifying what you know into the language of the (ISC)2. You will also come across subjective things that people can insist are objective. Heck, even the term "cybersecurity" rankles some people. A small example is the definitions of "data," "information," and "intelligence." How the (ISC)2 uses those words vs CompTIA, vs, say, the military can vary. You'll even find cases within their own materials where a certifying body may be very insistent on a word, and then a chapter later, they're using terms interchangeably.

 

That's where I think the Official Study Guide is helpful. Know the vocabulary. The other thing too is that you do realize that you really don't know it all. For example, you're going to be tested on anything from governance, to software development, to fire suppression systems in data centers. That was really the cool thing about the CISSP and the (ISC)2 - it was a very comprehensive exam, and you really felt your experience was being tested as much as your ability to digest study materials.

 

On that note, I see endless threads about people fretting over the exam or trying to find tricks to it. They miss the whole point. It is a certification exam. Your ability to pass it should come somewhat naturally because you've been doing this stuff and doing it right for a while. Just as you shouldn't want to game the system to pass a pilot's exam, no one should look to just barely or cleverly become a CISSP - your wellbeing and that of others depends on your ability to perform, not be clever.

 

You need practice exams to condition your brain for the exercise. However, certainly in my time, and I think it is still this way, if you know the material, you will have ample time to complete the exam. There are some really bad practice tests/questions sets out there -- remember these are not written by the people who write the exam. 

denbesten
Community Champion

I was in the same position ... many years of industry experience and many years since I had taken any multiple-choice exam.

 

I studied harder than I probably needed to but since I was footing the bill I figured buying a few books was a good bet vs needing to pay for a retake.

 

In the end, my studies did not really teach me much that I did not intuitively know, but they aligned me to the industry terminology and indoctrinated me into the ISC2 group-think.

 

For example, in CISSP speak, I faced a risk of doubling my costs if I were to fail the exam. My risk appetite/tolerance did not include paying out-of-pocket a second time. I chose to reduce my risk by purchasing a few books and studying more. This reduced my likelihood of failure. If ISC2 offered free retakes, the impact to my wallet would have been reduced to just my time, which I am also willing to accept. Had my employer paid, I probably would have accepted the risk and just tried taking the exam because "it's not my money". And nowadays, I could purchase "Peace of Mind Protection" to transfer the risk to ISC2. Or, I could avoid the risk altogether by not taking the exam.

 

Now, I am ready to be tested by ISC2 on "risk treatments" (accept, reduce, transfer, avoid) and also on risk measurement (risk = likelihood * impact).

jmpffff0000
Newcomer I


if you ace the CC(you’ll know) then book CISSP and buy the new all in one CISSP. Read that thoroughly

Did well on the CC stuff (thanks for the tip!), now trying to parse the above. It sounds like if I book the CISSP test then there's an option to buy additional study materials at the same time...?  🤔

 

ETA - aha, seems to be a reference to a book titled, "CISSP All in one Exam Guide", by Shon Harris and Fernando Maymí

jmpffff0000
Newcomer I

Thanks everyone, this is all super helpful!  😁

Early_Adopter
Community Champion

Yes, the Shon Harris derived All-in-One is, I think, a very good study aid. Pretty inexpensive as well. Given your experience, reading this and taking the test after the practice is probably most time/cost efficient - even if you fail you’ll know what domains to work on.

2FTerminator
Newcomer I

@Early_Adopter 

How do you mean circumventing copy protection?
What is being circumvented?

denbesten
Community Champion


@2FTerminator wrote:

How do you mean circumventing copy protection?
What is being circumvented?


Reread the first sentence of the original post. Michael was making light of the OP's history.